On 02/11/2009 06:20 AM, Frank Hecker:
Ian G wrote:
The policy says, we need published information, *eg* the CPS.
Not, "CPS must be published."
Yes, exactly. We typically use the CPS and/or CP because almost all CAs
publish those documents; however there is no requirement that the
information published by the CA be in the form of a CPS or CP.
But it must have relevance to what was audited, no? If the document
wasn't an official and binding part of the audit, it shouldn't be used
in this context either I think. Nor should it be provided and
published after the audit was performed.
Speaking personally, I think that it is good practice for CAs to
publish a CPS. If a CA has private information relating to detailed
internal processes that it does not wish to make public, I suggest that
it put such material in a separate "CA operations manual" that is
internal-only.
That's of course what CAs usually do. They disclose those procedures to
the auditor, but not publicly. WebTrust has a defined set of criteria
about what exactly needs to be disclosed publicly. In this respect I
question the usefulness of the ETSI audit criteria and I
suggest/recommend to make the publishing of the CPS a requirement in the
Mozilla CA policy. I assumed wrongly that this is a requirement of the
audit criteria which Mozilla accepts.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto